MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78f4cb6ed265c721890f28d96e33ce8b2defae0d8c71eaafbbc75199ca270d23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78f4cb6ed265c721890f28d96e33ce8b2defae0d8c71eaafbbc75199ca270d23
SHA3-384 hash: 6cda605aefa85412692401c51c5eced626694ca7d8cdb9b4d358fb74389924687d6379135340f94e3a2a54065af10e4d
SHA1 hash: 978170de87dfd5135cf0b3da9fb7900453caf1ec
MD5 hash: 64245815b907d80151c520a10f3e83b0
humanhash: leopard-kansas-tango-lemon
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'307'824 bytes
First seen:2022-11-23 09:12:33 UTC
Last seen:2022-11-23 10:57:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 17b2ad48aed5c3e9ae0df2624b0fa2b2 (2 x LgoogLoader, 1 x RemcosRAT, 1 x RedLineStealer)
ssdeep 24576:DjryZExuywyuvh9AVtjmSNXPIq7k2dzeFuUFOqdD3Gv:DjryZExF/qSN/Iq4eeFXFtD2v
Threatray 116 similar samples on MalwareBazaar
TLSH T1C155CF86F412C0AFF96BB8795EC283957462D052A147B5A4EFCC8B0C778CA7153BDA31
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e6b960c0dcf97395 (1 x LgoogLoader)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:kuraraydental.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-27T00:34:45Z
Valid to:2023-01-25T00:34:44Z
Serial number: 048f06662481eedc8912255625b96cb89bba
Thumbprint Algorithm:SHA256
Thumbprint: a1f0d262b868b05cfe168a24af32f4eb15e0b6b971c796ed05f8c0cf531b0e40
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://185.246.221.114/files/ADS.exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-23 09:14:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fa99c2c8-edb3-4a0d-bfae-8c3152a78d06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337519/
Detection(s):
SecuriteInfo.com.Generic.ML.PUA.9710.29891.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/637de4209c57db591d88c34a/reports/ea85cb12-4907-4dfd-9d0f-796e26756242/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a3f57da-9289-44a0-b8c9-3c8ee96ed90d
Result
Threat name:
RedLine, lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1119547
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected lgoogLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 752264 Sample: file.exe Startdate: 23/11/2022 Architecture: WINDOWS Score: 100 37 api.ip.sb 2->37 45 Snort IDS alert for network traffic 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 11 other signatures 2->51 8 file.exe 19 2->8         started        signatures3 process4 dnsIp5 41 www.sssupersports.com 172.67.206.152, 443, 49704, 49705 CLOUDFLARENETUS United States 8->41 43 64mmqjmj2ay2gv5dueha7eimond4zjlg.ehjiqr5zd 8->43 29 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 8->29 dropped 31 C:\Users\user\AppData\Local\...\advapi32.dll, PE32 8->31 dropped 33 C:\Users\user\AppData\...\resource[1].bin, PE32+ 8->33 dropped 35 C:\Users\user\AppData\...\library[1].bin, PE32 8->35 dropped 53 Writes to foreign memory regions 8->53 55 Allocates memory in foreign processes 8->55 57 Drops PE files with benign system names 8->57 59 2 other signatures 8->59 13 svchost.exe 3 8->13         started        16 ngentask.exe 8->16         started        18 ngentask.exe 8->18         started        file6 signatures7 process8 signatures9 61 Antivirus detection for dropped file 13->61 63 Multi AV Scanner detection for dropped file 13->63 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->65 73 3 other signatures 13->73 20 InstallUtil.exe 2 13->20         started        23 InstallUtil.exe 13->23         started        25 InstallUtil.exe 13->25         started        27 InstallUtil.exe 13->27         started        67 Contains functionality to infect the boot sector 16->67 69 Contain functionality to detect virtual machines 16->69 71 Contains functionality to inject code into remote processes 16->71 process10 dnsIp11 39 109.206.243.58, 49711, 81 AWMLTNL Germany 20->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78f4cb6ed265c721890f28d96e33ce8b2defae0d8c71eaafbbc75199ca270d23/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2022-11-23 09:13:10 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pd2mw3wsmxdsdcipfdmw4m6ormw67lqnrry6vl53y5iztsrhburq._file
Verdict:
malicious
Similar samples:
44192d53830cd0b58bd4c3213649104f23f5c5cb2d4f1168d2d07654e841b907
LgoogLoader
4f1f7b8e2fc6d9fb748e37d981d6e6cb9e5de29eab70eda27189da4e86bc8c88
LgoogLoader
6aa8c7811e02d48797f51fd635e97060112122222638a725306ba6b690f691d1
LgoogLoader
a04acbc25f52864d80fd101aee07ba1817750087610620f57196319a8f0f5bf1
LgoogLoader
ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb
LgoogLoader
be7096119b86de54f3a82c8059e372396169c30d2300d4ec768f4065e4b1b9a7
LgoogLoader
e438b0686e14786fa975d2d724c0fb8615e868a1210c57e0323d537cbb08c665
LgoogLoader
e806601047d5a080ababc1274c39cd1916583124166b985ca65b08f0a0e6feea
LgoogLoader
f2f2fa1f2bfab812eb154d51fa5d22b303639f8a74442b9ef14e4be678fad1ee
LgoogLoader
+ 106 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221123-k6qx1sdg2z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Unpacked files
SH256 hash:
bb91595bba44ab86638d4f4b899c0d9d57270580c4acef49fba785b6eb7bc1a2
MD5 hash:
878442be8fc5f0ba35d6d6072f5d01b1
SHA1 hash:
d4a5985e9d03ea8902ad909fc8708fd0481b422a
Link:
https://www.unpac.me/results/a50825af-0f4e-40b9-889f-1366668a2c0c/
SH256 hash:
78f4cb6ed265c721890f28d96e33ce8b2defae0d8c71eaafbbc75199ca270d23
MD5 hash:
64245815b907d80151c520a10f3e83b0
SHA1 hash:
978170de87dfd5135cf0b3da9fb7900453caf1ec
Link:
https://www.unpac.me/results/a50825af-0f4e-40b9-889f-1366668a2c0c/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/78f4cb6ed265/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/78f4cb6ed265c721890f28d96e33ce8b2defae0d8c71eaafbbc75199ca270d23

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2431067/
Cape
Cape
https://www.capesandbox.com/analysis/337519/

Comments